carols
Community Participant

Configuring SSO SAML for AzureAD - passing login_id to Canvas

Hi all
We have been configuring the SSO SAML configuration in Canvas to point to our AzureAD as per the guidance and instructions found here:

https://community.canvaslms.com/docs/DOC-1402-configuring-azure-saml-and-canvas-authentication

The AzureAD side of things appears to be working and confirms successful login. However once the login process hands off to Canvas, we get the error message "No such account for user username@domain". The usernames we are using for testing do exist in Canvas and our Canvas user accounts all have a login entry containing the account information it claims to not be able to find.

The Login attribute being used is "Name ID" as set in the instructions, but our ADFS service uses "eduPersonPrincipalName" and works for logging into Canvas - but does not work for AzureAD into Canvas.
In addition to authentication via ADFS, some admin users also have a direct login using a manually created login and password. These manual authentication modes tend to use the friendly email address (c.shergold@sussex.ac.uk)
So for me, AzureAD is passing carols@sussex.ac.uk but actually when I look at my user record via an API call, my login_id in Canvas was set to c.shergold@sussex.ac.uk.
I edited my user settings so that the manual authentication method also was set to carols@sussex.ac.uk
Now I am able to authenticate via AzureAD
However, I have a colleague whose login_id is set to username@domain who is nonetheless unable to log in.
So this doesn't seem like a complete explanation although presumably it's playing a part.
Does anyone have any experience of these issues of mapping login values between AzureAD and Canvas?
Many thanks
Carol
1 Reply
carols
Community Participant

So I am replying to my own question, as I think I now understand what is going on here.

When we launched Canvas at our institution a few years ago, we enabled ADFS for all our users. After doing some investigation into the issue I reported above, I realised that the user login record for each user was explicitly specifying that the authentication id of our ADFS integration was used, rather than the new AzureAD authentication.

Helpful REST API calls:

Authentication Providers - Canvas LMS REST API Documentation

Logins - Canvas LMS REST API Documentation

The newly added AzureAD authentication integration will show up as a record via the Authentication Providers API

When I examined the Logins API for a given user, I could see that the login was locked down to use ADFS.

So in order to allow users to login via AzureAD, it is going to be necessary to update / add a logins record that permits use of AzureAD.

I hope this helps someone!

(I've also added a comment describing this issue to the Canvas documentation on setting up AzureAD https://community.canvaslms.com/docs/DOC-1402-configuring-azure-saml-and-canvas-authentication )
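The procedure in the reply above (list the authentication providers, inspect each user's login records, then update or add a login so it points at the AzureAD provider) as a script. This is an added example, not code from the original post or from Instructure. It uses only endpoints from the Canvas Logins and Authentication Providers API docs linked above: GET the providers, GET a user's logins, PUT `/api/v1/accounts/:account_id/logins/:id` with `login[authentication_provider_id]`, and POST `/api/v1/accounts/:account_id/logins` with `user[id]`, `login[unique_id]` and `login[authentication_provider_id]`. The provider ids, the ADFS and AzureAD entity IDs, the sample login records and the NameIDs are all constructed for the demo, and `FakeCanvas` stands in for the real API so the script runs offline; `canvas_sender` is the real transport and needs an admin API token. It also covers the first post's mismatch (login_id `c.smith@...` while AzureAD sends `csmith@...`) by creating a second login with the expected NameID rather than editing the existing one, so ADFS and password logins keep working during the cutover.

```python
"""Re-point Canvas login records from the old SAML provider (ADFS) to the new one
(AzureAD), adding a login where the existing unique_id does not match the NameID
AzureAD sends.  Endpoint paths follow the Canvas Logins and Authentication
Providers APIs linked above; entity IDs, ids and records are constructed."""
import json
import urllib.request
from urllib.parse import urlencode

ADFS_ENTITY = "http://adfs.example.ac.uk/adfs/services/trust"                 # assumed
AZURE_ENTITY = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"  # assumed tenant
PROVIDERS = [  # constructed: shape of GET /api/v1/accounts/:id/authentication_providers
    {"id": 11, "auth_type": "saml", "idp_entity_id": ADFS_ENTITY},
    {"id": 42, "auth_type": "saml", "idp_entity_id": AZURE_ENTITY},
]
USER_LOGINS = {  # constructed: shape of GET /api/v1/users/:id/logins, keyed by user
    7: [{"id": 501, "user_id": 7, "account_id": 1,
         "unique_id": "colleague@example.ac.uk", "authentication_provider_id": 11}],
    8: [{"id": 502, "user_id": 8, "account_id": 1,
         "unique_id": "c.smith@example.ac.uk", "authentication_provider_id": None},
        {"id": 503, "user_id": 8, "account_id": 1,
         "unique_id": "c.smith@example.ac.uk", "authentication_provider_id": 11}],
}
NAME_IDS = {7: "colleague@example.ac.uk", 8: "csmith@example.ac.uk"}  # NameID AzureAD sends

def find_provider_id(providers, idp_entity_id):
    """Return the id of the SAML provider with this idp_entity_id, or None."""
    for p in providers:
        if p.get("auth_type") == "saml" and p.get("idp_entity_id") == idp_entity_id:
            return p["id"]
    return None

def plan_login_updates(logins, old_pid, new_pid, expected_name_id):
    """Return (method, path, form) calls that let one user sign in via new_pid.
    A login pinned to old_pid whose unique_id equals the NameID is re-pointed (PUT);
    if it differs (c.smith@ vs csmith@), the old login is kept and a new one carrying
    the NameID is created (POST).  Password logins (provider None) are never touched."""
    if any(l.get("authentication_provider_id") == new_pid for l in logins):
        return []  # already migrated: safe to re-run
    calls = []
    for login in logins:
        if login.get("authentication_provider_id") != old_pid:
            continue
        acct = login["account_id"]
        if login["unique_id"] == expected_name_id:  # exact match; Canvas decides case rules
            calls.append(("PUT", f"/api/v1/accounts/{acct}/logins/{login['id']}",
                          {"login[authentication_provider_id]": new_pid}))
        else:
            calls.append(("POST", f"/api/v1/accounts/{acct}/logins",
                          {"user[id]": login["user_id"], "login[unique_id]": expected_name_id,
                           "login[authentication_provider_id]": new_pid}))
    return calls

def apply_plan(calls, send):
    """Run each planned call through send(method, path, form) -> dict."""
    return [send(m, p, f) for m, p, f in calls]

def canvas_sender(base_url, token):
    """Real transport: form-encoded request with a Canvas API token (not run offline)."""
    def send(method, path, form):
        req = urllib.request.Request(base_url + path, data=urlencode(form).encode(),
                                     method=method, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

class FakeCanvas:
    """Offline stand-in: records calls and updates an in-memory login table."""
    def __init__(self, logins):
        self.logins = {l["id"]: dict(l) for l in logins}
        self.calls = []
        self.next_id = max(self.logins) + 1

    def send(self, method, path, form):
        self.calls.append((method, path, form))
        if method == "PUT":  # /api/v1/accounts/:acct/logins/:id
            login = self.logins[int(path.rsplit("/", 1)[1])]
            login["authentication_provider_id"] = form["login[authentication_provider_id]"]
            return login
        login = {"id": self.next_id, "user_id": form["user[id]"],  # POST .../accounts/:acct/logins
                 "account_id": int(path.split("/")[4]), "unique_id": form["login[unique_id]"],
                 "authentication_provider_id": form["login[authentication_provider_id]"]}
        self.logins[self.next_id] = login
        self.next_id += 1
        return login

def migrate():
    """Plan and apply the migration for every sample user; returns the FakeCanvas."""
    old_pid = find_provider_id(PROVIDERS, ADFS_ENTITY)
    new_pid = find_provider_id(PROVIDERS, AZURE_ENTITY)
    fake = FakeCanvas([l for ls in USER_LOGINS.values() for l in ls])
    for uid, logins in USER_LOGINS.items():
        apply_plan(plan_login_updates(logins, old_pid, new_pid, NAME_IDS[uid]), fake.send)
    return fake

if __name__ == "__main__":
    print(*migrate().calls, sep="\n")
```

To run this against a real instance, replace `fake.send` with `canvas_sender("https://<your-canvas-host>", token)` and fetch `PROVIDERS` and each user's logins from the two GET endpoints instead of the constructed tables. The plan step is deliberately separate from the apply step so the generated PUT/POST calls can be reviewed (and dry-run) before anything is changed, and the early return makes the script safe to run twice.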